Logstash output to multiple index patterns (top-level field vs. second-level field)


Filebeat configuration

# service is added as a second-level field under fields
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/aa.log
  fields:
    service: aa
- type: log
  enabled: true
  paths:
    - /var/log/messages*
  fields:
    service: message

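fields_under_root: if this option is set to true, the custom fields are stored as top-level fields of the event instead of being placed under the fields key. Custom fields override Filebeat's default fields. For example, add the following configuration:

# service is added as a top-level field
fields:
  service: message
fields_under_root: true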

Logstash configuration

# Logstash configuration when service is a second-level field under fields
output {
  stdout {
    codec => json
  }
  elasticsearch {
    hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"]
    ssl => true
    cacert => "/home/logstash/logstash-7.5.1/config/certs/ca.crt"
    index => "logstash-%{[fields][service]}-%{+YYYY.MM.dd}"
    user => "logstash_writer"
    # the password can be kept in the Logstash keystore and referenced as "${KEY_NAME}" rather than stored in plaintext
    password => "logstash"
  }
}

# Logstash configuration when service is a top-level field
output {
  stdout {
    codec => json
  }
  elasticsearch {
    hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"]
    ssl => true
    cacert => "/home/logstash/logstash-7.5.1/config/certs/ca.crt"
    index => "logstash-%{[service]}-%{+YYYY.MM.dd}"
    user => "logstash_writer"
    password => "logstash"
  }
}

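The output can also be written with conditionals instead of a field reference in the index name:

output {
  if [fields][service] == "aa" {
    elasticsearch {
      hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"]
      # same TLS settings as in the configurations above
      ssl => true
      cacert => "/home/logstash/logstash-7.5.1/config/certs/ca.crt"
      index => "logstash-aa-%{+YYYY.MM.dd}"
      user => "logstash_writer"
      password => "logstash"
    }
  }

  # the compared value must equal the fields.service value set in Filebeat (message)
  if [fields][service] == "message" {
    elasticsearch {
      hosts => ["https://node01:9200","https://node02:9200","https://node03:9200"]
      ssl => true
      cacert => "/home/logstash/logstash-7.5.1/config/certs/ca.crt"
      index => "logstash-messages-%{+YYYY.MM.dd}"
      user => "logstash_writer"
      password => "logstash"
    }
  }
}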
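How the two index patterns resolve against the two Filebeat event shapes, as an added example that is not part of the original page: a simplified Python model of Logstash's `%{...}` substitution that handles only bracketed field references and the YYYY/MM/dd date tokens. The sample events and function names are constructed for illustration; the point is that a pattern that does not match where service lives leaves the reference as literal text in the index name.

```python
import re
from datetime import datetime

FIELD_REF = re.compile(r"%\{((?:\[[^\[\]]+\])+)\}")   # e.g. %{[fields][service]}
DATE_REF = re.compile(r"%\{\+([^}]+)\}")               # e.g. %{+YYYY.MM.dd}

def lookup(event, ref):
    """Walk a bracketed field reference such as [fields][service]."""
    node = event
    for key in re.findall(r"\[([^\[\]]+)\]", ref):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def resolve_index(pattern, event):
    """Expand an index pattern; unresolved field references stay literal."""
    ts = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")

    def date_sub(match):
        fmt = match.group(1)
        for token, code in (("YYYY", "%Y"), ("MM", "%m"), ("dd", "%d")):
            fmt = fmt.replace(token, code)
        return ts.strftime(fmt)

    def field_sub(match):
        value = lookup(event, match.group(1))
        return match.group(0) if value is None else str(value)

    return FIELD_REF.sub(field_sub, DATE_REF.sub(date_sub, pattern))

def is_resolved(index):
    """True when no %{...} reference was left unexpanded."""
    return "%{" not in index

# Constructed sample events: fields_under_root unset vs. fields_under_root: true
NESTED = {"@timestamp": "2020-01-15T08:30:00.000Z", "fields": {"service": "aa"}}
ROOT = {"@timestamp": "2020-01-15T08:30:00.000Z", "service": "message"}
NESTED_PATTERN = "logstash-%{[fields][service]}-%{+YYYY.MM.dd}"
ROOT_PATTERN = "logstash-%{[service]}-%{+YYYY.MM.dd}"

if __name__ == "__main__":
    for name, event in (("nested", NESTED), ("root", ROOT)):
        for pattern in (NESTED_PATTERN, ROOT_PATTERN):
            index = resolve_index(pattern, event)
            flag = "" if is_resolved(index) else "  (UNRESOLVED)"
            print(f"{name:6} {pattern} -> {index}{flag}")
```

A check like `is_resolved` over the index names that actually exist in the cluster is a quick way to spot a Filebeat/Logstash mismatch after changing fields_under_root.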

 

